SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
'Flashlight' Trojan targets Australian banking apps, takes pictures of victims
Mon, 24th Apr 2017
FYI, this story is more than a year old

Android users are being warned about a fake flashlight app on Google Play that is targeting Australian banking apps.

The fake app, called ‘Flashlight LED Widget', has been downloaded by 5000 users. According to ESET researchers, the app is also able to adjust its functionality to targeted an unlimited number of apps on the victim's device.

So far it has been detected targeting banking apps from Commbank, NAB and Westpac in order to steal banking credentials. It has also targeted Facebook, WhatsApp, Instagram and Google Play.

The app, discovered to be Trojan.Android/Charger.B, was uploaded to Google Play on March 30. On April 10, it was pulled from the store on ESET's notice.

According to researchers, the Trojan is a variant of a malware originally used to deliver ransomware - the switch to bank phishing is apparently ‘rare' in the Android malware world.

The Trojan does actually act as a flashlight, but it also has embedded command - control (C-C) functionalities that can send fake screens that mimic real apps, lock infected devices, intercept SMS and display fake notifications that can bypass two-factor authentication.

It can also use HTML code that is based on apps installed on the device to display fake screen overlays once they are launched, ESET says.

The Trojan works by asking for device administrator rights as soon as it is launched. After permissions are granted, the app hides its icon and displays only as a widget.

It then registers the infected device on the attacker's server and provides information about the phone. It even goes one step further and attaches a picture of the device owner, which has been taken by the front camera.

According to ESET, if the server detects that the infected device is in Belarus, Russia or Ukraine, the Trojan stops all its activity. Researchers suspect this gives an indication of where the attackers are located, as they may be wanting to avoid prosecution in their home countries.

ESET researchers have also noted that the Trojan uses Firebase Cloud Messages to communicate with C-C - the very first time a malware has used this as a communication channel.

ESET recommends that all users who have downloaded a flashlight app check to see if it is legitimate.  This particular malicious app can be found in Setting > Application Manager/Apps > Flashlight Widget.

Uninstalling the widget is much more difficult, as the Trojan attempts to stop users from turning off the active device administrator.

“When trying to deactivate the rights, the pop-up screen doesn't go away until you change your mind and click 'activate' again,” researchers report.

ESET recommends that users boot their devices in Safe mode, which will help uninstall the Trojan.

In addition, ESET recommends that users choose only official app stores. When downloading apps, check app popularity, ratings and what people are saying in reviews.

Be wary of what permissions apps ask for. If a flashlight app asks for device administrator rights, consider uninstalling the app immediately. Finally, use up-to-date mobile security solutions.